Webtrends Security Scanner (WSS)

(Based on original Asmodeus Security Scanner written by Greg Hoglund).

First of all, thanks for taking the time to test this program.  
Many people have contributed and offered suggestions.  Since this
is a work in progress, you can expect it to change over time.
If you like this program, then please offer your suggestions.
I can be emailed at gregh@webtrends.com.

1. What does it do?  

Two main things: SCANNING and SNIFFING:

Right now, Webtrends Security Scanner (WSS) is capable of scanning ranges of
TCP ports on subnets.  At the time I originally wrote the socket engine, it
was the fastest scanner on the 'net.  Since that time, a few other scanners
have been released which are pretty darned fast.  Most of these are
commercial and very expensive at that.  WSS can keep up: I have scanned
entire class C's in less than a minute.  You can scan some small countries
in one night ;)  I believe WSS can stream along at a modest 30,000 sockets
per minute under optimum conditions.  All of the data that is gleaned from
the scan is passed through a user-supplied script.  This script allows you
to define what security holes will be checked for.  Also, you can trigger
events based on what you find.  If you REALLY want to hear a ".wav" file
play every time you find an IMAP service running, go crazy.  You can spawn
external processes, or other scripts.

Also, WSS can promiscuously sniff your ethernet segment.  WSS can filter the
packets and search them for certain data and attack signatures.  You can log
packets to file, or have an external application deal with them.  For
instance, you can have your alphanumeric pager software go off if WSS
detects a certain kind of packet (i.e., say a Samba packet from a certain
address).  Using the built-in scripting language, almost anything is
possible.  This gives you the ability to monitor your network 24 hours a day.

2. How do I install and use it?

SYSTEM REQUIREMENTS: Windows NT 4.0 

WSS doesn't use the registry; it's a stand-alone binary.  It must have
all of its associated script files in the same directory.  The following
is the directory structure you should have after decompressing the
package:

./WSS.exe
./default.spn
./packets.spn
./Captures/
./Driver/

If any of the ".spn" files are missing, or if the Captures subdirectory
is missing, you will have many dialog boxes popping up with errors.  
Also, make sure the files and directories ARE NOT SET READ-ONLY.  

Windows 95:  Don't try to force WSS to run on Win95.  It may barely work
if you install Winsock 2 first, but WSS opens and manages upwards of 2500
sockets at any given time under NT. Windows 95 has a hard time with just
50+ sockets. 


3. IMPORTANT:  Installing the promiscuous packet driver

Note: If you already have a packet driver like this installed, the two
may not successfully co-exist.

INSTRUCTIONS:
>>
Go into your Network Properties and add a PROTOCOL.  Click HAVE DISK
and supply the path to the WSS "Driver" directory.  You should be able
to select "Asmodeus Packet Driver".  You then have to REBOOT.  
Note: You cannot right click on the OEM file and install it that way. 
Use the network properties instead.
>>


4. Scanning Class C's and Single Machines

To get started, just create a NEW database.  Remember that everything
you do is based on whatever NODE you currently have selected in the
database.  If you scan a site, then the results of this scan are placed
under the currently selected database node.

INSTRUCTIONS:

1.  Open or create a NEW database, select the first node (you will see a
little red and yellow arrow highlighting it), and then click on 
SCAN SINGLE IP.  
2.  Enter an IP Address.  The results of the scan are placed in the
database tree.


Try the same thing with the "SCAN CLASS C" button.  This will scan
an entire class C range, i.e. 255 machines.

The data that is collected is run through a script file called
"default.spn".  Take a look at this file to see how WSS determines
what to post in the database.  This file is where you will add checks
for new security holes.  As long as you can get a system OS type,
a Service ID, and a Version Number, you can cross-reference any
number of known security holes.


5. Tuning and Performance

By default, WSS is pretty conservative.  You can change that.
If you have the machine and the bandwidth, you may want to play with
the "TUNE" button.  This controls the number of threads, the number
of sockets per thread, and the timeout values associated with each
socket.  There are some presets available to get you started.  On a
PentiumPro 200 with 64 megs of RAM, I can use the highest settings on a
local IP scan.  If you start getting "out of buffers" errors, you need
to tune it down a little.


6. The Internet is just one giant distributed machine.

Ultimately that is what WSS is about, mapping the locations of all the
processes on the Internet.  WSS provides you with a tool to manage 
your "map" of the Internet.  It places everything in a database.  
The World Wide Web (WWW) is NOT a map for the Internet.  
The Web is chaotic cross-pollination and 404 errors.  
The Internet Domain Name System (DNS) is NOT a map either.  
DNS is only a convenient way for people to remember addresses 
(it can change at any time and has very little consistency).  
The TRUE map must be based upon the endpoints of process communication.  
That's what scanners are for.  WSS can currently scan TCP services on
IPv4 addresses.  WSS detects hosts using ping sweeps.  There are dozens of
other ways to map out the Internet.  There are diverse scanning methods
including SYN, FIN, SNMP Queries, DNS zone transfers, Netbios over TCP,
and many more.  WSS will address these in the future.



-----------------------------------------------

            SCRIPT FILE REFERENCE

-----------------------------------------------


# a hash mark indicates a comment. Anything after the hash is ignored
until we encounter a newline 


------

IfCompare(substring){function block}

	IfCompare("ZPOP")
	{
	  PostChild("Post Office software.com Zmail", 4);
	  ExpandThis();
	}

This command will compare the substring against the banner retrieved
at the current node.  If the substring is located, then the block is
executed; else, it is skipped.  As always, function blocks can be nested
within one another.  Version 1.0 note:  This will work on packet analysis
as well.


------

PostChild(string to be posted, icon number);

	PostChild("Post Office software.com Zmail", 4);

PostChild is fairly simple. It posts information to the database tree. 
It does not use a function block. You can change the icon used to 
represent this data. Try values between 1 and 7. Another version of this 
command is PostParent. PostParent is exactly the same except that it posts
the data to the parent node. 


------

ExpandThis();

	ExpandThis();

Expands the current node so all children are visible. This is very handy.
It operates only in context of the current node. 


------

PrintLED(string);

	PrintLED("-------------=Microsoft  ==Windows    ==System     ==           ==           =------------");

This is a cool little function.  It prints whatever data you want to the
LED sign.  Keep in mind the number of characters you are passing.  Alignment
is crucial here.  If you play with the command you will get the idea.
See the examples in the default.spn file.  Also, note that if you pass more
characters than will fit on the sign at once, the sign will actually cycle
through the entire string, giving you a sort of rudimentary ASCII animation.


------

PlaySnd(filename.wav);

	PlaySnd("mushroom.wav");

This is something you want to use sparingly. Make sure your .wav file is
in the same directory w/ WSS. The thread is blocked until the wav file 
has completed, so this would slow you down significantly if you had sound
everywhere. However, it is very useful when you are running huge scans 
and you need to be alerted to a particular detail of some kind.

------
Script commands below this point are all version 1.0 and will not work
with older alpha versions
------

IfCompareHex(string){ function block }

	IfCompareHex("00 00 0A AA AC CD 3F 1A")
	{
	  # do something
	}

This is used mainly for packet analysis.  You can look for a pattern of
bytes: just type a string of 2-character hexadecimal values.  You can then
do things like log the packet to a file.

-------

LogPacket("filename");

APPENDS the contents of this packet to a file.

-------

AddScript("filename");

Adds a script to the user-script window.

-------

IfIPDest("xxx.xxx.xxx.xxx") { function block }

Will execute the function block if the destination IP matches (dotted
decimal notation)

-------

IfIPSrc("xxx.xxx.xxx.xxx") { function block }

Will execute the function block if the source IP matches (dotted decimal
notation)

-------

Connect("ip address", "port"); #note port is a string, enclose in quotes

Establishes a TCP session.

IF ip address = "NIC" then the command will use the ip address of the 
target in a drag and drop operation.

i.e., Connect("NIC", "23"); will connect to the target's telnet port.
These commands are experimental.  Once you have connected, the script file
has a session.  This is all in context of the current script file.
Further read/write operations will operate on this socket.

-------

Send("string");

Sends the string over the current TCP session.  Limited in functionality
at this time.  Asmodeus interprets the following characters as script
tokens:

"{"
"}"
"("
")"
","
";"
"\n"
"\r"
" "
"\t"
"\""
"#"

Within the string, you cannot have a quote character, else WSS will think
the string is complete.
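The script rules described above (hash-mark comments, IfCompare/PostChild/ExpandThis blocks, IfCompareHex and the source/destination IP filters, and the token list under Send) can be modelled in a small interpreter.  The following is an added example written for this page; it is not WSS's own parser nor any part of the original distribution.  The node dictionaries and the event list it builds are assumptions standing in for the WSS database tree and its log files and dialog boxes.  It parses a constructed script in the style of default.spn and runs it against either a banner (scan mode) or raw packet bytes (sniff mode):

```python
"""Toy interpreter for the WSS ".spn" script syntax documented above (an added
example, not WSS's own parser): listed tokens, '#' comments, nested blocks."""
import re

# Every alternative matches something, so finditer never skips input; an unclosed '"' hits 'bad'.
TOKEN_RE = re.compile(r'#[^\n]*|[ \t\r\n]+|(?P<punct>[{}(),;])|"(?P<str>[^"]*)"'
                      r'|(?P<word>[^ \t\r\n{}(),;"#]+)|(?P<bad>")')

def tokenize(src):
    """Return (kind, text) tokens; comments and whitespace are dropped."""
    matches = list(TOKEN_RE.finditer(src))
    if any(m.lastgroup == "bad" for m in matches):
        raise SyntaxError("unterminated string")
    return [(m.lastgroup, m.group(m.lastgroup)) for m in matches if m.lastgroup]

def parse(tokens):
    """Return (name, args, body) statements; body is None for 'Name(args);' and a
    nested statement list for 'Name(args) { ... }'."""
    pos = 0
    def peek(kind, text=None):
        return pos < len(tokens) and tokens[pos][0] == kind and text in (None, tokens[pos][1])
    def take(kind, text=None):
        nonlocal pos
        if not peek(kind, text):
            raise SyntaxError(f"expected {text or kind} at token {pos}")
        pos += 1
        return tokens[pos - 1][1]
    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and not peek("punct", "}"):
            name, args = take("word"), []
            take("punct", "(")
            while peek("str") or peek("word"):
                kind, val = tokens[pos]
                if kind == "word" and not val.isdigit():   # bare words must be icon numbers
                    raise SyntaxError(f"bad argument {val!r} at token {pos}")
                args.append(val if kind == "str" else int(val))
                pos += 1
                if peek("punct", ","):
                    pos += 1
            take("punct", ")")
            if peek("punct", "{"):
                pos += 1
                stmts.append((name, args, block()))
                take("punct", "}")
            else:
                take("punct", ";")
                stmts.append((name, args, None))
        return stmts

    stmts = block()
    if pos != len(tokens):
        raise SyntaxError("unmatched '}'")
    return stmts

def new_node(label, icon=0):
    """Assumed stand-in for a WSS database tree node."""
    return {"label": label, "icon": icon, "children": [], "expanded": False}

def run(script, ctx, node):
    """Run a script against ctx: 'banner' (str, scan mode) or 'packet' (bytes, sniff
    mode) plus optional 'src_ip'/'dst_ip'. Posts land under node; the returned list
    records LogPacket calls and the commands this toy does not model."""
    events, packet = [], ctx.get("packet", b"")
    data = ctx.get("banner") or packet.decode("latin-1")
    conds = {"IfCompare": lambda a: a in data,
             "IfCompareHex": lambda a: bytes.fromhex(a) in packet,
             "IfIPDest": lambda a: ctx.get("dst_ip") == a,
             "IfIPSrc": lambda a: ctx.get("src_ip") == a}

    def exec_block(stmts, cur):
        for name, args, body in stmts:
            if name in conds:
                if conds[name](args[0]):
                    exec_block(body, cur)
            elif name == "PostChild":
                cur["children"].append(new_node(*args))
            elif name == "ExpandThis":
                cur["expanded"] = True
            elif name == "LogPacket":
                events.append(("log", args[0], packet))        # WSS appends to this file
            else:
                events.append(("skipped", name, tuple(args)))  # PrintLED, PlaySnd, ...

    exec_block(parse(tokenize(script)), node)
    return events

SAMPLE_SCRIPT = """# constructed sample in the style of default.spn (not the real file)
IfCompare("ZPOP")
{
  PostChild("Post Office software.com Zmail", 4);
  IfCompare("2.0") { PostChild("version string 2.0 seen", 6); }
  ExpandThis();
}
IfCompareHex("DE AD BE EF") { LogPacket("Captures/odd.log"); }
"""
```

Run against a constructed banner such as `+OK ZPOP Version 2.0 ready`, the sample posts two children under the host node and expands it; run against packet bytes containing DE AD BE EF it records a LogPacket event instead.  The quoting rule behaves as the reference warns: `Send("a"b"c");` is rejected because the second quote ends the string, and an unclosed quote is reported rather than swallowed.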

-------

Recv();

This forces a blocking receive operation on the session.  Once again, this
is testing.  All further IfCompare and IfCompareHex commands should operate
on this data.  Don't waste huge amounts of time writing attack scripts 
using these commands, as these are yet to be completed.

-------

CloseSocket();

Closes the session.

-------
 
The last thing to note: the scripting is very sensitive to mistakes.
I have tried to do my best to catch typos and mis-aligned function
blocks, but if you type a bunch of garbage into a script file, WSS isn't
going to like it.  So watch your coding very carefully; if WSS does find
weird stuff, it tries to report it to you, and it also will make a backup
of your database in case something goes haywire.


-----------------------------------------
-Best regards.  Please visit www.webtrends.com/wss for latest updates!

-Mar 26, 1998

